accounts-service: Rename allow-app-installation to be system-specific

This is in preparation for adding a second boolean for the flatpak user repository. Make the existing allow-app-installation boolean control permissions for the flatpak system repository. Having one boolean for each repository means we can allow users to install to their user repository by default (subject to OARS ratings), but not be allowed to install to the system repository. While changing the name and semantics of the boolean, flip its default value from True to False. Rather than letting any non-admin user install new apps by default (subject to OARS restrictions), re-limit it to admin users and users whose allow-system-installation key has been explicitly set to True by the admin. Signed-off-by: Philip Withnall <withnall@endlessm.com> https://phabricator.endlessm.com/T24457
2018-11-28 16:39:39 +00:00 · 2018-11-28 16:39:39 +00:00 · 3ec77740c7
commit 3ec77740c7
parent f2e7cbfd03
5 changed files with 66 additions and 61 deletions
--- a/accounts-service/com.endlessm.ParentalControls.AppFilter.xml
+++ b/accounts-service/com.endlessm.ParentalControls.AppFilter.xml
@ -61,16 +61,18 @@
    </property>

    <!--
-      allow-app-installation:
+      allow-system-installation:

-      Whether app installation is allowed for the user at all. If this is true,
-      the polkit check for allowing app installation succeeds, and the
-      oars-filter does not restrict this app, app installation can proceed.
+      Whether this user is allowed to install to the flatpak system repository.
+      If this is true, and if the polkit check for allowing app installation
+      succeeds, and if the oars-filter does not restrict this app, app
+      installation can proceed.

-      If this is false, the user is not allowed to install any apps.
+      If this is false, the user is not allowed to install any apps or runtimes
+      to the flatpak system repository.
    -->
-    <property name="allow-app-installation" type="b" access="readwrite">
-      <annotation name="org.freedesktop.Accounts.DefaultValue" value="true"/>
+    <property name="allow-system-installation" type="b" access="readwrite">
+      <annotation name="org.freedesktop.Accounts.DefaultValue" value="false"/>
    </property>
  </interface>
 </node>